The Apache web server can display the contents of directories to users when there is no default index file (such as index.html) present. This feature is managed by the mod_autoindex module. When the directory listing is enabled, if a user accesses a directory without an index file, they will see a list of files and folders within that directory.
Common default index files include index.html, index.htm, index.php, and welcome.html. These can be configured with the DirectoryIndex directive in the Apache configuration file.
While directory listing can be useful for openly sharing files, it might inadvertently expose sensitive files or the server's directory structure. To improve security, it's recommended to disable this feature. In this guide, we'll explore three primary methods to achieve this in Apache:
Methods to disable directory listing in Apache:
For those using platforms like cPanel, there are platform-specific methods to disable Apache's directory listing.
A direct approach is to deactivate the mod_autoindex module. Note that this will affect all sites hosted on the server.
$ sudo a2dismod --force autoindex # Ubuntu, Debian and SUSE
Module autoindex disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
|Options||Debian, Ubuntu||openSUSE and SLES||Fedora Core, CentOS, RHEL||macOS||homebrew||xampp|
|Modules to uninstall||none|
|Loadmodule directive||n/a||#LoadModule autoindex_module <module_locations>/mod_autoindex.so|
You can specifically deny directory listings by adding -Indexes to the Options directive within Apache's configuration file.
$ sudo vi /etc/apache2/other/mysite.conf
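The configuration can be set globally or within a VirtualHost configuration.
# Before: directory listing is enabled
<Directory /var/www/mysite>
    Options Indexes FollowSymLinks
</Directory>
# After: directory listing is disabled. Apache 2.4 rejects an Options line
# that mixes signed and unsigned values, so FollowSymLinks gets an explicit +.
<Directory /var/www/mysite>
    Options -Indexes +FollowSymLinks
</Directory>
Notice that it's -Indexes and not +Indexes.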
If you don't have root access or prefer to control directory listing for specific directories, utilize the .htaccess file:
$ sudo vi /var/www/mysite/.htaccess
Ensure that the Apache configuration allows the use of .htaccess files by checking that the AllowOverride directive is set to All, or at least Options, for the relevant directory.
$ sudo systemctl restart apache2
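To confirm that no configuration or .htaccess file still turns listings on, the following added example (not part of the original guide) scans files for Options lines that enable Indexes and for lines that mix signed and unsigned options, which Apache 2.4 rejects at startup. The names audit_indexes and sample_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag Options lines in Apache
# configuration or .htaccess files that leave directory listing enabled.

# audit_indexes FILE...  prints "file:line: finding"; returns 1 on any finding.
audit_indexes() {
    awk '
    function report(msg) { printf "%s:%d: %s: %s\n", FILENAME, FNR, msg, $0; bad = 1 }
    /^[ \t]*#/ { next }                      # skip comment lines
    tolower($1) == "options" {
        sub(/^[ \t]+/, "")                   # trim indentation for the report
        signed = 0; bare = 0; on = 0
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (opt ~ /^[+-]/) signed++
            else bare++
            # Indexes, +Indexes and All each turn autoindex listings on.
            if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
        }
        if (on) report("directory listing enabled")
        # Apache 2.4 refuses to start when signed and unsigned options are mixed.
        if (signed && bare) report("mixed signed and unsigned options")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the before and after <Directory> blocks from this guide.
sample_conf() {
    cat <<'EOF'
<Directory /var/www/mysite>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/mysite>
    Options -Indexes +FollowSymLinks
</Directory>
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_indexes "$tmp" || echo "review the lines listed above"
rm -f "$tmp"
```

Run it against the files edited in this guide, for example audit_indexes /etc/apache2/other/mysite.conf /var/www/mysite/.htaccess; a non-zero exit status means at least one line needs attention.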